
Resource Orchestration Service: ALIYUN::CLOUDFW::ControlPolicy

Updated: Oct 11, 2024

The ALIYUN::CLOUDFW::ControlPolicy resource type is used to create an access control policy in Cloud Firewall.

Syntax

{
  "Type": "ALIYUN::CLOUDFW::ControlPolicy",
  "Properties": {
    "ApplicationName": String,
    "DestPortType": String,
    "Direction": String,
    "Destination": String,
    "Description": String,
    "Proto": String,
    "AclAction": String,
    "Source": String,
    "SourceType": String,
    "DestinationType": String,
    "NewOrder": Integer,
    "DestPort": String,
    "RegionId": String,
    "DestPortGroup": String,
    "Release": Boolean,
    "RepeatType": String,
    "StartTime": Integer,
    "RepeatEndTime": String,
    "DomainResolveType": String,
    "IpVersion": String,
    "RepeatDays": List,
    "EndTime": Integer,
    "RepeatStartTime": String,
    "ApplicationNameList": List
  }
}

Properties

AclAction (String)

Action that Cloud Firewall applies to traffic that matches the access control policy.

Valid values:

  • accept: allow the traffic.

  • drop: deny the traffic.

  • log: observe the traffic.

ApplicationName (String)

Application type supported by the security policy.

Valid values:

  • ANY

    Note

    ANY means the policy applies to applications of all types.

  • HTTP

  • HTTPS

  • MySQL

  • SMTP

  • SMTPS

  • RDP

  • VNC

  • SSH

  • Redis

  • MQTT

  • MongoDB

  • Memcache

  • SSL

Description (String)

Description of the access control policy.

Destination (String)

Destination address of the access control policy.

Valid values:

  • When DestinationType is net, Destination is the destination CIDR block. Example: 10.10.XX.XX/24.

  • When DestinationType is group, Destination is the name of the destination address book. Example: db_group.

  • When DestinationType is domain, Destination is the destination domain name. Example: *.example.com.

  • When DestinationType is location, Destination is the destination region. Example: ["BJ11", "ZB"]

    For the region codes that Destination accepts, see Region codes.

DestinationType (String)

Type of the destination address in the access control policy.

Valid values:

  • net: destination CIDR block.

  • group: destination address book.

  • domain: destination domain name.

  • location: destination region.

Direction (String)

Traffic direction of the access control policy.

Valid values:

  • in: access control for inbound (external-to-internal) traffic.

  • out: access control for outbound (internal-to-external) traffic.

NewOrder (Integer)

Priority at which the access control policy takes effect.

Priorities are numbered from 1 in ascending order; the larger the number, the lower the priority.

Important

1 indicates the highest priority and -1 the lowest priority.

Proto (String)

Protocol type of the traffic in the access control policy.

Valid values:

  • ANY

    Note

    Set this property to ANY when the protocol type is not known.

  • TCP

  • UDP

  • ICMP

Source (String)

Source address of the access control policy.

Valid values:

  • When SourceType is net, Source is the source CIDR block. Example: 10.10.XX.XX/24.

  • When SourceType is group, Source is the name of the source address book. Example: db_group.

  • When SourceType is location, Source is the source region. Example: ["BJ11", "ZB"]

    For the region codes that Source accepts, see Region codes.

SourceType (String)

Type of the source address in the access control policy.

Valid values:

  • net: source CIDR block.

  • group: source address book.

  • location: source region.

DestPort (String)

Destination port of the traffic in the access control policy.

Set this property when DestPortType is port.

DestPortGroup (String)

Name of the destination port address book of the traffic in the access control policy.

Set this property when DestPortType is group.

DestPortType (String)

Type of the destination port of the traffic in the access control policy.

Valid values:

  • port: a port.

  • group: a port address book.

RegionId (String)

Region.

Valid values:

  • cn-hangzhou (default)

  • ap-southeast-1

Release (Boolean)

Whether the access control policy is enabled.

A policy is enabled by default after it is created. Valid values:

  • true: enable the access control policy.

  • false: do not enable the access control policy.

RepeatType (String)

Recurrence type of the validity period of the access control policy.

Valid values:

  • Permanent (default): always in effect.

  • None: a single specified time period.

  • Daily: every day.

  • Weekly: every week.

  • Monthly: every month.

StartTime (Integer)

Start time of the validity period of the access control policy.

Expressed as a UNIX timestamp in seconds. The value must fall on the hour or half hour and must be at least 30 minutes earlier than EndTime.

Note

When RepeatType is Permanent, StartTime is left empty. When RepeatType is None, Daily, Weekly, or Monthly, StartTime is required and you must set a start time.

RepeatEndTime (String)

Recurring end time of the validity period of the access control policy.

Example: 23:30. The value must fall on the hour or half hour and must be at least 30 minutes later than RepeatStartTime.

Note

When RepeatType is Permanent or None, RepeatEndTime is left empty. When RepeatType is Daily, Weekly, or Monthly, RepeatEndTime is required and you must set a recurring end time.

DomainResolveType (String)

Domain name resolution method of the access control policy.

Valid values:

  • 0: FQDN-based resolution.

  • 1: dynamic DNS resolution.

  • 2: both FQDN-based and dynamic DNS resolution.

IpVersion (String)

IP version of the assets protected by Cloud Firewall.

Valid values:

  • 4 (default): IPv4.

  • 6: IPv6.

RepeatDays (List)

Set of recurring days of the validity period of the access control policy.

  • When RepeatType is Permanent, None, or Daily, RepeatDays is an empty list. Example: []

  • When RepeatType is Weekly, RepeatDays must not be empty. Example: [0, 6]

    Note

    When RepeatType is Weekly, RepeatDays must not contain duplicate values.

  • When RepeatType is Monthly, RepeatDays must not be empty. Example: [1, 31]

    Note

    When RepeatType is Monthly, RepeatDays must not contain duplicate values.

EndTime (Integer)

End time of the validity period of the access control policy.

Expressed as a UNIX timestamp in seconds. The value must fall on the hour or half hour and must be at least 30 minutes later than StartTime.

Note

When RepeatType is Permanent, EndTime is left empty. When RepeatType is None, Daily, Weekly, or Monthly, EndTime is required and you must set an end time.

RepeatStartTime (String)

Recurring start time of the validity period of the access control policy.

Example: 08:00. The value must fall on the hour or half hour and must be at least 30 minutes earlier than RepeatEndTime.

Note

When RepeatType is Permanent or None, RepeatStartTime is left empty. When RepeatType is Daily, Weekly, or Monthly, RepeatStartTime is required and you must set a recurring start time.

ApplicationNameList (List)

Application names.

Region codes

China and overseas region codes

  China: ZD

  Overseas: ZB

China region codes

  Beijing: BJ11

  Tianjin: TJ12

  Hebei: HB13

  Shanxi: SX14

  Liaoning: LN21

  Jilin: JL22

  Shanghai: SH31

  Jiangsu: JS32

  Zhejiang: ZJ33

  Anhui: AH34

  Fujian: FJ35

  Jiangxi: JX36

  Shandong: SD37

  Henan: HN41

  Hubei: HB42

  Hunan: HN43

  Guangdong: GD44

  Hainan: HN46

  Chongqing: CQ50

  Sichuan: SC51

  Guizhou: GZ52

  Yunnan: YN53

  Shaanxi: SX61

  Gansu: GS62

  Qinghai: QH63

  Heilongjiang: HLJ23

  Tibet Autonomous Region: XZ54

  Guangxi Zhuang Autonomous Region: GX45

  Inner Mongolia Autonomous Region: NMG15

  Ningxia Hui Autonomous Region: NX64

  Xinjiang Uygur Autonomous Region: XJ65

  Taiwan (China): TW

  Hong Kong Special Administrative Region (China): HK

  Macao Special Administrative Region (China): MO

Overseas region codes

  Asia (excluding China): ZC

  Europe: EU

  Africa: AF

  North America: NA

  South America: LA

  Oceania: OA

  Antarctica: AQ

Return values

Fn::GetAtt

AclUuid: the unique ID of the access control policy.

Examples

YAML format

ROSTemplateFormatVersion: '2015-09-01'
Resources:
  ControlPolicy:
    Type: ALIYUN::CLOUDFW::ControlPolicy
    Properties:
      ApplicationName:
        Ref: ApplicationName
      DestPortType:
        Ref: DestPortType
      Direction:
        Ref: Direction
      AclAction:
        Ref: AclAction
      Description:
        Ref: Description
      Proto:
        Ref: Proto
      Destination:
        Ref: Destination
      Source:
        Ref: Source
      DestinationType:
        Ref: DestinationType
      NewOrder:
        Ref: NewOrder
      DestPortGroup:
        Ref: DestPortGroup
      DestPort:
        Ref: DestPort
      RegionId:
        Ref: RegionId
      SourceType:
        Ref: SourceType
Parameters:
  ApplicationName:
    Type: String
    Description: 'Application type supported by the security policy. Valid values:
      ANY, HTTP, HTTPS, MySQL, SMTP, SMTPS, RDP, VNC, SSH, Redis, MQTT, MongoDB, Memcache,
      SSL. Note: ANY means the policy applies to applications of all types.'
    AllowedValues:
    - ANY
    - HTTP
    - HTTPS
    - MQTT
    - Memcache
    - MongoDB
    - MySQL
    - RDP
    - Redis
    - SMTP
    - SMTPS
    - SSH
    - SSL
    - VNC
  DestPortType:
    Type: String
    Description: 'Type of the destination port in the access control policy. port: a
      port. group: a port address book.'
    AllowedValues:
    - group
    - port
  Direction:
    Type: String
    Description: 'Traffic direction of the access control policy. in: access control
      for inbound (external-to-internal) traffic. out: access control for outbound
      (internal-to-external) traffic.'
    AllowedValues:
    - in
    - out
  AclAction:
    Type: String
    Description: 'Action that Cloud Firewall applies to traffic matching the access
      control policy. accept: allow. drop: deny. log: observe.'
    AllowedValues:
    - accept
    - drop
    - log
  Description:
    MinLength: 1
    Type: String
    Description: Description of the access control policy.
  Proto:
    Type: String
    Description: 'Protocol type of the traffic in the access control policy. Set to ANY
      when the protocol type is not known. Allowed values: ANY, TCP, UDP, ICMP.'
    AllowedValues:
    - ANY
    - ICMP
    - TCP
    - UDP
  Destination:
    MinLength: 1
    Type: String
    Description: 'Destination address of the access control policy. When DestinationType
      is net, Destination is the destination CIDR block, for example 192.168.XX.XX/24.
      When DestinationType is group, Destination is the name of the destination address
      book, for example db_group. When DestinationType is domain, Destination is the
      destination domain name, for example *.example.com. When DestinationType is
      location, Destination is the destination region (see the region codes below),
      for example ["BJ11", "ZB"].'
  Source:
    MinLength: 1
    Type: String
    Description: 'Source address of the access control policy. When SourceType is net,
      Source is the source CIDR block, for example 192.168.XX.XX/24. When SourceType is
      group, Source is the name of the source address book, for example db_group. When
      SourceType is location, Source is the source region (see the region codes below),
      for example ["BJ11", "ZB"].'
  DestinationType:
    Type: String
    Description: 'Destination address type of the access control policy. net: destination
      CIDR block. group: destination address book. domain: destination domain name.
      location: destination region.'
    AllowedValues:
    - domain
    - group
    - location
    - net
  NewOrder:
    Type: Number
    Description: 'Priority at which the access control policy takes effect. Priorities
      are numbered from 1 in ascending order; the larger the number, the lower the
      priority. -1 indicates the lowest priority.'
    MinValue: -1
  DestPortGroup:
    Type: String
    Description: Name of the destination port address book of the traffic. Set this
      parameter when DestPortType is group.
  DestPort:
    Type: String
    Description: Destination port of the traffic. Set this parameter when DestPortType
      is port.
  RegionId:
    Default: cn-hangzhou
    Type: String
    Description: Region ID. Default to cn-hangzhou.
    AllowedValues:
    - cn-hangzhou
    - ap-southeast-1
  SourceType:
    Type: String
    Description: 'Source address type of the access control policy. net: source CIDR
      block. group: source address book. location: source region.'
    AllowedValues:
    - group
    - location
    - net
Outputs:
  AclUuid:
    Description: Unique ID of the access control policy.
    Value:
      Fn::GetAtt:
      - ControlPolicy
      - AclUuid

JSON format

{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Resources": {
    "ControlPolicy": {
      "Type": "ALIYUN::CLOUDFW::ControlPolicy",
      "Properties": {
        "ApplicationName": {
          "Ref": "ApplicationName"
        },
        "DestPortType": {
          "Ref": "DestPortType"
        },
        "Direction": {
          "Ref": "Direction"
        },
        "AclAction": {
          "Ref": "AclAction"
        },
        "Description": {
          "Ref": "Description"
        },
        "Proto": {
          "Ref": "Proto"
        },
        "Destination": {
          "Ref": "Destination"
        },
        "Source": {
          "Ref": "Source"
        },
        "DestinationType": {
          "Ref": "DestinationType"
        },
        "NewOrder": {
          "Ref": "NewOrder"
        },
        "DestPortGroup": {
          "Ref": "DestPortGroup"
        },
        "DestPort": {
          "Ref": "DestPort"
        },
        "RegionId": {
          "Ref": "RegionId"
        },
        "SourceType": {
          "Ref": "SourceType"
        }
      }
    }
  },
  "Parameters": {
    "ApplicationName": {
      "Type": "String",
      "Description": "Application type supported by the security policy. Valid values: ANY, HTTP, HTTPS, MySQL, SMTP, SMTPS, RDP, VNC, SSH, Redis, MQTT, MongoDB, Memcache, SSL. Note: ANY means the policy applies to applications of all types.",
      "AllowedValues": [
        "ANY",
        "HTTP",
        "HTTPS",
        "MQTT",
        "Memcache",
        "MongoDB",
        "MySQL",
        "RDP",
        "Redis",
        "SMTP",
        "SMTPS",
        "SSH",
        "SSL",
        "VNC"
      ]
    },
    "DestPortType": {
      "Type": "String",
      "Description": "Type of the destination port in the access control policy. port: a port. group: a port address book.",
      "AllowedValues": [
        "group",
        "port"
      ]
    },
    "Direction": {
      "Type": "String",
      "Description": "Traffic direction of the access control policy. in: access control for inbound (external-to-internal) traffic. out: access control for outbound (internal-to-external) traffic.",
      "AllowedValues": [
        "in",
        "out"
      ]
    },
    "AclAction": {
      "Type": "String",
      "Description": "Action that Cloud Firewall applies to traffic matching the access control policy. accept: allow. drop: deny. log: observe.",
      "AllowedValues": [
        "accept",
        "drop",
        "log"
      ]
    },
    "Description": {
      "MinLength": 1,
      "Type": "String",
      "Description": "Description of the access control policy."
    },
    "Proto": {
      "Type": "String",
      "Description": "Protocol type of the traffic in the access control policy. Set to ANY when the protocol type is not known. Allowed values: ANY, TCP, UDP, ICMP.",
      "AllowedValues": [
        "ANY",
        "ICMP",
        "TCP",
        "UDP"
      ]
    },
    "Destination": {
      "MinLength": 1,
      "Type": "String",
      "Description": "Destination address of the access control policy. When DestinationType is net, Destination is the destination CIDR block, for example 192.168.XX.XX/24. When DestinationType is group, Destination is the name of the destination address book, for example db_group. When DestinationType is domain, Destination is the destination domain name, for example *.example.com. When DestinationType is location, Destination is the destination region (see the region codes below), for example [\"BJ11\", \"ZB\"]."
    },
    "Source": {
      "MinLength": 1,
      "Type": "String",
      "Description": "Source address of the access control policy. When SourceType is net, Source is the source CIDR block, for example 192.168.XX.XX/24. When SourceType is group, Source is the name of the source address book, for example db_group. When SourceType is location, Source is the source region (see the region codes below), for example [\"BJ11\", \"ZB\"]."
    },
    "DestinationType": {
      "Type": "String",
      "Description": "Destination address type of the access control policy. net: destination CIDR block. group: destination address book. domain: destination domain name. location: destination region.",
      "AllowedValues": [
        "domain",
        "group",
        "location",
        "net"
      ]
    },
    "NewOrder": {
      "Type": "Number",
      "Description": "Priority at which the access control policy takes effect. Priorities are numbered from 1 in ascending order; the larger the number, the lower the priority. -1 indicates the lowest priority.",
      "MinValue": -1
    },
    "DestPortGroup": {
      "Type": "String",
      "Description": "Name of the destination port address book of the traffic. Set this parameter when DestPortType is group."
    },
    "DestPort": {
      "Type": "String",
      "Description": "Destination port of the traffic. Set this parameter when DestPortType is port."
    },
    "RegionId": {
      "Default": "cn-hangzhou",
      "Type": "String",
      "Description": "Region ID. Default to cn-hangzhou.",
      "AllowedValues": [
        "cn-hangzhou",
        "ap-southeast-1"
      ]
    },
    "SourceType": {
      "Type": "String",
      "Description": "Source address type of the access control policy. net: source CIDR block. group: source address book. location: source region.",
      "AllowedValues": [
        "group",
        "location",
        "net"
      ]
    }
  },
  "Outputs": {
    "AclUuid": {
      "Description": "Unique ID of the access control policy.",
      "Value": {
        "Fn::GetAtt": [
          "ControlPolicy",
          "AclUuid"
        ]
      }
    }
  }
}
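The property table above states several constraints on the schedule properties (RepeatType, StartTime/EndTime, RepeatStartTime/RepeatEndTime, RepeatDays) that the ROS templates shown here do not enforce. The following Python check is an added example, not part of the ROS documentation or of Cloud Firewall; it validates the Properties of one ControlPolicy resource locally before a template is submitted, so a rule whose time window silently fails to match what was intended is caught early. The sample rule is constructed, and RepeatDays values are taken as given in the table (no day-numbering range beyond the stated no-duplicates rule is assumed).

```python
# Added example, not from the ROS documentation: checks the schedule constraints the
# property table places on RepeatType, StartTime/EndTime, RepeatStartTime/RepeatEndTime, RepeatDays.
HALF_HOUR = 1800  # seconds; UNIX timestamps must fall on the hour or half hour

def _half_hour_minutes(s):
    """Minutes since midnight if s is HH:MM on the hour or half hour, else None."""
    h, _, m = s.partition(":")
    if h.isdigit() and m.isdigit() and int(h) < 24 and int(m) in (0, 30):
        return int(h) * 60 + int(m)
    return None

def validate_schedule(props):
    """Return the list of constraint violations in one ControlPolicy's Properties."""
    errors = []
    rt = props.get("RepeatType", "Permanent")  # Permanent is the documented default
    if rt not in ("Permanent", "None", "Daily", "Weekly", "Monthly"):
        return [f"RepeatType {rt!r} is not a valid value"]
    start, end = props.get("StartTime"), props.get("EndTime")
    if rt == "Permanent":
        if start is not None or end is not None:
            errors.append("StartTime/EndTime must be empty when RepeatType is Permanent")
    elif start is None or end is None:
        errors.append(f"StartTime and EndTime are required when RepeatType is {rt}")
    elif start % HALF_HOUR or end % HALF_HOUR:
        errors.append("StartTime and EndTime must be on the hour or half hour")
    elif end - start < HALF_HOUR:
        errors.append("EndTime must be at least 30 minutes after StartTime")
    rs, re_ = props.get("RepeatStartTime"), props.get("RepeatEndTime")
    if rt in ("Permanent", "None"):
        if rs or re_:
            errors.append("RepeatStartTime/RepeatEndTime must be empty for Permanent or None")
    elif not (rs and re_):
        errors.append(f"RepeatStartTime and RepeatEndTime are required when RepeatType is {rt}")
    elif (a := _half_hour_minutes(rs)) is None or (b := _half_hour_minutes(re_)) is None:
        errors.append("RepeatStartTime/RepeatEndTime must be HH:MM on the hour or half hour")
    elif b - a < 30:
        errors.append("RepeatEndTime must be at least 30 minutes after RepeatStartTime")
    days = props.get("RepeatDays") or []
    if rt in ("Weekly", "Monthly"):
        if not days:
            errors.append(f"RepeatDays must not be empty when RepeatType is {rt}")
        elif len(set(days)) != len(days):
            errors.append("RepeatDays must not contain duplicate days")
    elif days:
        errors.append("RepeatDays must be an empty list unless RepeatType is Weekly or Monthly")
    return errors

# Constructed sample: a weekly rule that is valid except for a duplicated day.
WEEKLY_RULE = {"RepeatType": "Weekly", "StartTime": 1735689600, "EndTime": 1735693200,
               "RepeatStartTime": "08:00", "RepeatEndTime": "18:00", "RepeatDays": [1, 1]}
```

Run validate_schedule on the Properties of each ControlPolicy resource in a template (after resolving any Ref parameters) and fail the pipeline if the returned list is non-empty.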